Internet2 DDoS Mitigation Service

Internet2 is pleased to offer a cloud-based volumetric Distributed Denial of Service (DDoS) Mitigation Service procured on behalf of the community from a commercial service provider.

Community Effort

After the community encouraged Internet2 to obtain a DDoS Mitigation service, members of the Security Working Group developed requirements for a cloud-based DDoS service to be used in an RFP for the service. The RFP responses were reviewed and rated by a community technical team, and Internet2 then negotiated with three high-ranking providers. When creating the business model for the service, Internet2 consulted with the Network Architecture, Operations and Policy Program Advisory Group (NAOPpag) as well as a group of regional representatives. A group of technical leaders from the pilot group has met with Internet2 and the service provider to delve into the technical details.

How Does the Service Work?

DDoS Mitigation Service Subscribers procure 1G of clean pipe capacity while being allowed to burst into the available capacity provided by Internet2 on the clean pipe (up to 10G initially). At setup time a VLAN will be configured on the Subscriber’s existing Internet2 connection, over which the Subscriber will peer (via BGP) with Internet2's Scrubbing VRF. This VRF, in turn, is configured by Internet2 to peer with the DDoS Mitigation service provider. Using BGP, the Subscriber will provide to the VRF the set of address prefixes that should be scrubbed should the need arise. When an attack is detected, the Subscriber will signal, using a BGP community, the specific subnet (a /24) to be scrubbed. Upon receiving the BGP community indicating the need for scrubbing, the DDoS Mitigation service provider will advertise the prefix to the greater internet. Traffic will then come into the DDoS Mitigation service provider, which will scrub that traffic and return clean traffic over the VLAN configured at setup time on the Subscriber’s existing Internet2 connection.
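The Subscriber-side signalling step above is easy to get subtly wrong: the prefix tagged with the scrub community has to be one of the prefixes pre-registered with the Scrubbing VRF, and it has to be the /24 granularity the service works in. The following Python is an added illustration, not Internet2 or provider code; the registered prefixes, the community value 64496:911 and the dictionary shape of the "update" are all constructed placeholders (the real community and prefix list are assigned at onboarding), and 198.18.0.0/15 (RFC 2544 benchmarking range) stands in for a campus aggregate.

```python
import ipaddress

# Constructed values (added example, not Internet2 or provider configuration).
# Prefixes the Subscriber has pre-registered with the Scrubbing VRF over BGP;
# 198.18.0.0/15 is the RFC 2544 benchmarking range, used here as a stand-in
# for a campus aggregate, and 203.0.113.0/24 is an RFC 5737 documentation block.
REGISTERED_PREFIXES = [
    ipaddress.ip_network("198.18.0.0/15"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Hypothetical community value; the real one is assigned at onboarding.
# 64496 is a documentation ASN (RFC 5398).
SCRUB_COMMUNITY = "64496:911"


def validate_scrub_target(prefix_str, registered=REGISTERED_PREFIXES):
    """Return the requested prefix as an ip_network if it is an IPv4 /24
    lying within one of the registered prefixes; raise ValueError otherwise.
    strict=True rejects inputs with host bits set (e.g. 198.18.5.7/24)."""
    target = ipaddress.ip_network(prefix_str, strict=True)
    if target.version != 4 or target.prefixlen != 24:
        raise ValueError(f"{target} is not an IPv4 /24; the service scrubs per /24")
    if not any(target.subnet_of(reg) for reg in registered):
        raise ValueError(f"{target} is not covered by a registered prefix")
    return target


def is_valid_scrub_target(prefix_str, registered=REGISTERED_PREFIXES):
    """Boolean wrapper around validate_scrub_target for quick checks."""
    try:
        validate_scrub_target(prefix_str, registered)
        return True
    except ValueError:
        return False


def build_scrub_update(prefix_str, community=SCRUB_COMMUNITY,
                       registered=REGISTERED_PREFIXES):
    """Describe the BGP announcement the Subscriber sends to the Scrubbing VRF:
    the /24 to scrub, tagged with the scrub community."""
    target = validate_scrub_target(prefix_str, registered)
    return {"action": "announce", "prefix": str(target), "communities": [community]}


def build_scrub_withdrawal(prefix_str, registered=REGISTERED_PREFIXES):
    """Withdrawing the tagged /24 ends the diversion once the attack subsides."""
    target = validate_scrub_target(prefix_str, registered)
    return {"action": "withdraw", "prefix": str(target)}


if __name__ == "__main__":
    print(build_scrub_update("198.18.5.0/24"))
    for bad in ("198.18.5.0/25", "192.0.2.0/24", "198.18.5.7/24"):
        try:
            validate_scrub_target(bad)
        except ValueError as err:
            print("rejected:", err)
```

Running the block announces 198.18.5.0/24 with the community and rejects a /25, an unregistered /24 and a malformed prefix. In practice the same checks belong in the BGP policy on the Subscriber's router (and on the VRF side), so that a mistyped or unregistered prefix can never be diverted by accident.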

The Subscriber’s downstream members (e.g., a university or a K-12 district) have the option to obtain the same direct access services from the provider as the Subscriber by choosing the Tenant option, with an associated fee structure. An organization that is downstream from a Subscriber and/or Tenant, that has its own publicly registered Autonomous System Number (public ASN) and that does not choose the option to be a Tenant is considered to be a Sub-Tenant of the Subscriber, with associated fees. A Sub-Tenant will not have access to the SOC or the Zenedge Portal. Sub-Tenant fees are not applicable to any organization eligible to receive USF E-Rate funds, such as K-12 schools and libraries.

For an additional fee, the provider also offers a Monitoring service for those Subscribers or Tenants without on-premises appliances for attack detection. With the Monitoring service, netflow records are sent to the service provider’s analytics appliance, and the provider is able to notify the Subscriber or Tenant of the need for mitigation.

Internet2 is providing a cloud-based volumetric Distributed Denial of Service (DDoS) Mitigation Service procured from a commercial service provider. The model being used allows members that subscribe to the service to be able to direct attack traffic to the DDoS Mitigation Service provider, and carry the clean traffic back via a VRF on their existing Internet2 connection. Each Subscriber can offer the service to their downstreams. If any downstream would like to have direct access to the Security Operations Center (SOC), the downstream can become a Tenant of the Subscriber.

The features available to Subscribers and Tenants are:

Direct access to the Security Operations Center (SOC) of the provider to initiate mitigation

Access to a portal to review mitigation efforts and subsequent reports

A direct VLAN on the Internet2 network used to:

Peer with Internet2's Scrubbing VRF

Carry clean traffic back to the Subscriber’s routers

For an additional fee, the provider offers a “Monitored Router” service available for those Subscribers or Tenants without on-premises appliances for attack detection. With the Monitoring service, netflow records are sent to the service provider’s analytics appliance, and the provider is able to notify the Subscriber or Tenant of the need for mitigation.

How will the DDoS Mitigation service work?

The model being used allows a member to subscribe to the service in 1G increments of clean pipe capacity while being allowed to burst into the available capacity on the clean pipe (up to 10G initially). Currently this bursting will have no additional cost, unless it becomes a regular occurrence for a Subscriber or Internet2 incurs additional costs. A key to the success of this model is the ability of the community to share in the aggregate amount of “clean pipe” capacity. The service provides scrubbing for commodity traffic and R&E traffic, including both IPv4 and IPv6 traffic. Clean traffic will be returned over the VRF on your Internet2 connection that is provisioned during service onboarding.

Who is eligible to subscribe to the service from Internet2?

The model is to offer this service to R&E Network Members and Connectors, and the pricing model will favor this group procuring the service and then sharing costs among its members. However, like all Internet2 services, it will also be made available to any Internet2 member institution wishing to procure the service directly. Each entity that procures the service will be referred to as a Subscriber.

What are Subscribers and Tenants?

A Subscriber is the organization that contracts for the DDoS Mitigation Service. A Tenant is a downstream of the Subscriber, either a regional or a higher education institution, that is interested in having direct access to the provider Security Operations Center (SOC) to initiate scrubbing, access to a portal to review mitigation efforts and subsequent reports, and a direct VRF across the Internet2 network to carry clean traffic to the Tenant’s routers. There is an additional fee for each Tenant.

What features are provided to Subscribers?

Each Subscriber will have:

Direct access to the Security Operations Center (SOC) of the provider to initiate mitigation

Access to a portal to review mitigation efforts and subsequent reports

A direct VRF across the Internet2 network to carry clean traffic to the Subscriber’s routers

What features are provided to Tenants?

Each Tenant will have:

Direct access to the Security Operations Center (SOC) of the provider to initiate mitigation

Access to a portal to review mitigation efforts and subsequent reports

A direct VRF across the Internet2 network to carry clean traffic to the Tenant’s routers

How was the DDoS Mitigation Service Provider selected?

Working with a group from the Security Working Group, Internet2 developed requirements for a cloud-based DDoS service. Internet2 then issued an RFP and solicited responses from six providers. The RFP responses were reviewed by a community technical team. Based on the ratings of that team, Internet2 negotiated with three high-ranking providers.

How was the business model for the service created?

Internet2 gathered input on the proposed business models from the Network Architecture, Operations and Policy Program Advisory Group (NAOPpag) and also convened a group of regional representatives to review the proposed business models.

My organization already has DDoS mitigation tools on-site; does it make sense to obtain this service, too?

The service is being modeled to allow those members who already have DDoS mitigation tools on-site to add this cloud-based solution alongside them.

If a Connector or R&E Network Member procures the services, is it acceptable for them to offer it to their downstream members?

Internet2 encourages Connector/Network Members to, at least initially, subscribe to the service (i.e., become a Subscriber) on behalf of themselves as well as their own members (downstreams). Each downstream that has its own publicly registered Autonomous System Number (public ASN) and does not choose the option to be a Tenant is considered to be a Sub-Tenant of the Subscriber, with associated fees. A Sub-Tenant will not have access to the SOC or the Zenedge Portal. Sub-Tenant fees are not applicable to any organization eligible to receive USF E-Rate funds, such as K-12 schools and libraries.

If a Connector or R&E Network Member procures the services, is it possible for the downstream members to build a VRF and have access to the SOC?

Yes, the Subscriber enrolls its downstream members as Tenants of the Subscriber. A Tenant will have (a) direct access to the provider Security Operations Center (SOC) to initiate scrubbing, (b) access to a portal to review mitigation efforts and subsequent reports, and (c) a direct VRF across the Internet2 network to carry clean traffic to the Tenant’s routers. There is an additional fee for each Tenant.

How will the DDoS Mitigation Service be configured?

A VRF will be created between the Subscriber and the DDoS Mitigation Service provider. The Subscriber will provide a list of potential prefixes to the provider and a BGP session will be created between the Subscriber and the provider.

How will the DDoS Mitigation service work?

The service provides scrubbing for commodity traffic and R&E traffic, including both IPv4 and IPv6 traffic. Based on the prefix that the Subscriber indicates needs to be scrubbed, the provider announces a more-specific route to the internet, drawing all traffic for that prefix to its scrubbing center. The provider scrubs the traffic and returns the clean traffic to the Subscriber via a VRF on the Subscriber's Internet2 connection that is provisioned during service onboarding.
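The reason a more-specific announcement redirects traffic is longest-prefix match: every router on the internet prefers the most specific route covering a destination, so the provider's /24 wins over the Subscriber's own aggregate for exactly that subnet and nothing else. The Python below is an added illustration of that effect, not Internet2 or provider code; the routing table, the aggregate 198.18.0.0/15 (RFC 2544 range standing in for a campus block), AS 64496 (documentation ASN) and the next-hop labels are constructed.

```python
import ipaddress

# Constructed routes for the added example (not Internet2 or provider data).
# Before mitigation a remote network only knows the Subscriber's aggregate.
BASELINE_RIB = [
    (ipaddress.ip_network("198.18.0.0/15"), "via AS64496 (subscriber direct)"),
]


def best_route(rib, address):
    """Longest-prefix match as a remote router performs it: among all routes
    whose prefix contains the address, pick the most specific one.
    Returns (prefix, next_hop) or None if nothing covers the address."""
    addr = ipaddress.ip_address(address)
    covering = [(pfx, nh) for pfx, nh in rib if addr in pfx]
    if not covering:
        return None
    pfx, nh = max(covering, key=lambda route: route[0].prefixlen)
    return str(pfx), nh


def is_more_specific(rib, prefix_str):
    """True if the prefix is strictly more specific than an existing route,
    i.e. it would win longest-prefix match for its own addresses."""
    pfx = ipaddress.ip_network(prefix_str)
    return any(pfx.subnet_of(existing) and pfx.prefixlen > existing.prefixlen
               for existing, _ in rib if existing.version == pfx.version)


def with_scrub_route(rib, prefix_str, scrub_next_hop="via scrubbing center"):
    """The provider's advertisement of the /24 under mitigation, as seen by
    the remote router once it has propagated."""
    return rib + [(ipaddress.ip_network(prefix_str), scrub_next_hop)]


def path_for(rib, addresses):
    """Resolve several destinations at once for a side-by-side view."""
    return {addr: best_route(rib, addr) for addr in addresses}


if __name__ == "__main__":
    probes = ["198.18.5.10", "198.18.6.10"]
    print("before:", path_for(BASELINE_RIB, probes))
    mitigated = with_scrub_route(BASELINE_RIB, "198.18.5.0/24")
    print("during:", path_for(mitigated, probes))
```

During mitigation the host in 198.18.5.0/24 is reached via the scrubbing center while its neighbour in 198.18.6.0/24 still takes the direct path; the clean traffic then comes back over the VRF, which this forwarding-plane view does not need to model. The /24 granularity also matters here: many networks filter announcements longer than /24, so a more specific smaller than that would not propagate widely enough to pull the attack traffic.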

Are there any options for detection, or is this only mitigation?

This service is a cloud-based volumetric DDoS Mitigation service. The provider does have a “Monitored Router” service available for those Subscribers or Tenants without on-premises appliances for attack detection. With the Monitoring service, netflow records are sent to the service provider’s analytics appliance, and the provider is able to notify the Subscriber or Tenant of the need for mitigation. There is an additional fee for this service.
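The flow-based detection that the Monitoring service performs on the provider's analytics appliance (described here and in the service overview above) reduces, at its simplest, to rating inbound bytes per destination /24 over a window and comparing against a threshold; the /24 is the natural key because it is also the unit the SOC scrubs. The Python below is an added sketch of that logic, not the provider's appliance or any Internet2 code: the flow records, the 10-second window and the 500 Mbit/s threshold are constructed, with destinations in 198.18.0.0/15 (RFC 2544 range) and sources in RFC 5737 documentation blocks.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records for the added example, not exported by any real
# router: (src_ip, dst_ip, ip_protocol, bytes). All fall in one 10-second window.
WINDOW_SECONDS = 10.0
FLOWS = [
    ("192.0.2.10", "198.18.5.20", 17, 600_000_000),   # UDP flood toward one host
    ("192.0.2.11", "198.18.5.20", 17, 550_000_000),
    ("192.0.2.12", "198.18.5.21", 17, 500_000_000),
    ("203.0.113.7", "198.18.9.40", 6, 40_000_000),    # ordinary TCP traffic
    ("203.0.113.8", "198.18.9.41", 6, 30_000_000),
]

# Assumed alert threshold in Mbit/s; a real deployment tunes this per site.
THRESHOLD_MBPS = 500.0


def aggregate_by_dst24(flows):
    """Sum bytes and collect distinct sources per destination IPv4 /24, the
    unit of scrubbing the service uses. IPv6 flows are skipped because the
    page only defines the IPv4 /24 granularity."""
    totals = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for src, dst, _proto, nbytes in flows:
        if ipaddress.ip_address(dst).version != 4:
            continue
        dst24 = ipaddress.ip_network(f"{dst}/24", strict=False)
        totals[dst24]["bytes"] += nbytes
        totals[dst24]["sources"].add(src)
    return totals


def detect_volumetric(flows, window_seconds=WINDOW_SECONDS,
                      threshold_mbps=THRESHOLD_MBPS):
    """Return the /24s whose inbound rate exceeds the threshold, most severe
    first. Each finding is the prefix an operator would hand to the SOC."""
    findings = []
    for dst24, stats in aggregate_by_dst24(flows).items():
        mbps = stats["bytes"] * 8 / window_seconds / 1_000_000
        if mbps > threshold_mbps:
            findings.append({"prefix": str(dst24), "mbps": round(mbps, 1),
                             "sources": len(stats["sources"])})
    return sorted(findings, key=lambda f: f["mbps"], reverse=True)


if __name__ == "__main__":
    for finding in detect_volumetric(FLOWS):
        print(f"{finding['prefix']}: {finding['mbps']} Mbit/s "
              f"from {finding['sources']} sources")
```

On the constructed flows only 198.18.5.0/24 is reported (1320 Mbit/s from three sources); the /24 carrying normal traffic stays under the threshold. A byte-rate threshold alone is a coarse signal, which is why the monitored appliance, and not the Subscriber, does the analysis: a baseline per prefix and a sanity check that the flagged /24 is one the Subscriber actually registered should precede any request to the SOC.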